November 7, 2024
“In simplest terms, boards are on the hook for management, governance, and disclosure reporting.”
That was Keri Pearlson, executive director of the Cybersecurity at MIT Sloan Research Consortium (CAMS) explaining the impact of a fall 2022 SEC ruling. In short, as an MIT News story from earlier this year summarized, “The ruling requires public companies to disclose whether their boards of directors have members with cybersecurity expertise. Specifically, registrants are required to disclose whether the entire board, a specific board member, or a board committee is responsible for the oversight of cyber risks; the processes by which the board is informed about cyber risks, and the frequency of its discussions on this topic; and whether and how the board or specified board committee considers cyber risks as part of its business strategy, risk management, and financial oversight.”
But a September 2024 CIO.com story headlined “Do Boards understand their new role in cybersecurity?” asked if boards are taking cybersecurity seriously enough. “Most boards fall into the trap of thinking that cybersecurity is a technical issue and focus too much on technical protections and whether the right tools are in place to protect the organization,” former Navistar CIO Julie Ragland told the publication. “But we know that more than 90 percent of cybersecurity incidents start with human behavior error. Cyber incidents are as much a communications and legal challenge as they are a technical challenge, so when boards focus too much on the technical, they miss key areas of responsibility.”
Ragland added, “The dollar amount to cover the totality of a cyber landscape for an organization can be huge,” she says. “The board needs enough understanding of cybersecurity to help prioritize these big investments.”
Gartner concurs. Earlier this year, it called on boards to expand their competency in cybersecurity oversight. Said Richard Addiscott, a Gartner senior analyst, “SRMs leaders must encourage active board participation and engagement in cybersecurity decision making. Act as a strategic advisor, providing recommendations for actions to be taken by the board, including allocation of budgets and resources for security.”
By 2026, Gartner predicts, more than 70 percent of boards will have at least one member with cybersecurity expertise—expertise that companies can no longer afford to silo, effectively handing off responsibility to IT departments. “This enables organizations to move beyond reactive defense,” Forbes noted, “meaning that they can act on new business opportunities that come with being prepared.”
Because not being prepared comes with potential costs—financial, reputational and even criminal. And yet, it seems, not nearly enough companies and organizations are taking preparation seriously. Citing a 2023 Heidrick & Struggles Board Monitor Report, Cybersecurity Magazine revealed that “only 14 percent of non-executive director appointments at the largest publicly listed companies were issued to those with some level of cybersecurity acumen, a decline from 17 percent the year prior.”
It’s a dangerous backward trend in an era when cybercrime costs U.S. businesses alone hundreds of billions of dollars annually and is only getting worse. As the magazine wrote, “Cybersecurity initiatives can sometimes be seen as growth restrictors and barriers to efficiency and productivity, but boards need to recognize that reducing threat risk is an advantage, not only to the business at hand, but also to themselves.”
Remedying the situation, which involves internal education (about risk management, in particular) and external assessments, largely falls to CIOs and CISOs.
“With boards seeking external validation on risks, just as they would financial fiduciary through an audit, it’s the executive responsibility of CIOs to provide them with that information, as well as having a fresh set of eyes on an always changing landscape,” Ragland told CIO.com.
However, she added, security is only one area that requires more tech expertise. Another is “strategic opportunity.” In other words, “How are we using technology to advance our strategies, products, and customer engagements? As boards look to technology skills, they should look for someone who can bring both flavors into the board room.”
It’s also important to venture outside the boardroom, Ragland continued, to meet with members in more casual settings where they might absorb information differently than they do during, say, thrice-annual presentations.
“CIOs should find a few people with the highest technical acumen to meet in more conversational settings,” she said. “The chairs of the audit and risk committees are usually a good place to start, and CIOs can leverage their CEO to jumpstart those meetings.”
Mindsight delivers enterprise managed services to the mid-market across a variety of industries including manufacturing, financial services, government, education – just to name a few. Our solution architects and engineers are expert-level only and are an extension of your IT team. Mindsight is headquartered in Downers Grove, IL, a suburb of Chicago.